<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talk Tech To Me - GFI Blog &#187; password security</title>
	<atom:link href="http://www.gfi.com/blog/tag/password-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Fri, 10 Feb 2012 17:18:42 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>The Importance of Using Multiple Passwords</title>
		<link>http://www.gfi.com/blog/importance-multiple-passwords/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=importance-multiple-passwords</link>
		<comments>http://www.gfi.com/blog/importance-multiple-passwords/#comments</comments>
		<pubDate>Thu, 31 Mar 2011 15:23:03 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[password policies]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[security policies]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3200</guid>
		<description><![CDATA[One of the most hated security policies is that of asking users to have different passwords for each different service they make use of. Many see this as unnecessary because they reason that if their chosen password is strong enough &#8230;]]></description>
			<content:encoded><![CDATA[<p><span style="font-weight: normal;"><a class="lightbox" title="security policies" href="http://www.gfi.com/blog/wp-content/uploads/2011/03/security-policies.jpg"><img class="alignright size-medium wp-image-3201" style="margin: 10px; border: 0px solid black;" title="security policies" src="http://www.gfi.com/blog/wp-content/uploads/2011/03/security-policies-300x264.jpg" alt="Security Policies" width="240" height="211" /></a>One of the most hated security policies is the one that asks users to use a different password for each service they use. Many see this as unnecessary, reasoning that if their chosen password is strong enough then having multiple passwords is a needless precaution. Worse still, it is not just everyday users who ignore this best practice, as we saw in the <a href="http://www.gfi.com/blog/companies-defend-targeted-attacks-part-1/" target="_blank">HBGary Federal compromise</a>: even senior managers, up to the CEO, of a security company had been using the same password on multiple services.</span></p>
<p>Thinking that a single strong password is protection enough is flawed. A strong password might make it very difficult or even impossible for an attacker to crack, but cracking is not the only way a password can be compromised.</p>
<p><span id="more-3200"></span>We use many different services, from forums to games, and each of them asks us to create an account for authentication. We have no way of knowing how these services work, how secure they are or even whether they are legitimate. What if you sign up with a web hosting service, use your really strong 20-character password (which even includes symbols!) and then it turns out that this service is storing that password in plain text?</p>
<p>It might seem highly unlikely, but unfortunately it happens, as <a href="http://www.theregister.co.uk/2011/03/11/interworx_password_breach/">reported by The Register</a>: InterWorx, a web hosting control panel system, suffered a data breach and admitted that their system had been storing client credentials in plain text. Clients who used the same credentials on all their servers and whose credentials were stolen have effectively opened their organization’s (and home) doors to the attackers until they change those credentials.</p>
<p>It is also safe to assume there will always be a sizeable gap between an attack being identified, users being informed about it and users changing their passwords on all their systems, which gives attackers plenty of time to gain a foothold before the situation is resolved.</p>
<p>Best practices and security policies are there for a reason and it is important that they are followed.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/importance-multiple-passwords/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>How to create a very strong password</title>
		<link>http://www.gfi.com/blog/create-strong-password/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=create-strong-password</link>
		<comments>http://www.gfi.com/blog/create-strong-password/#comments</comments>
		<pubDate>Wed, 15 Sep 2010 12:35:10 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[password policies]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2890</guid>
		<description><![CDATA[Researchers call for stronger passwords An article on the BBC recently called for people to use stronger passwords in the wake of more computational power available to hackers. We know that security needs to scale as computers become more powerful &#8230;]]></description>
			<content:encoded><![CDATA[
<p style="text-align: left;"><a class="lightbox" title="login" href="http://www.gfi.com/blog/wp-content/uploads/2010/08/login.jpg"><img class="alignright size-medium wp-image-2891" style="margin: 10px;" title="login" src="http://www.gfi.com/blog/wp-content/uploads/2010/08/login-300x199.jpg" alt="" width="240" height="159" /></a>An article on the BBC recently <a href="http://www.bbc.co.uk/news/technology-10963967" target="_blank">called for people to use stronger passwords</a> in the wake of more computational power available to hackers. We know that security needs to scale as computers become more powerful because security is ultimately a numbers game. A hacker needs to guess the correct numbers to get to the encrypted data and security is all about the amount of time he will likely need to guess those numbers.</p>
<p style="text-align: left;"><span id="more-2890"></span></p>
<p style="text-align: left;">The most elementary form of protection is the password. Security systems do not store the password directly; instead they run it through a hashing algorithm that converts the password to a hash, and it is that hash that gets stored. When you type in a password it is converted to a hash and compared to the previously stored hash; if it matches, the user is granted access. If someone were to steal the hash of a password he would still not be able to access the system, as he would need to find a string that, when hashed, produces the same hash he stole. This is more difficult than it sounds because there are literally billions of combinations, and moreover the conversion to a hash is somewhat expensive in terms of processing.</p>
<h2 style="text-align: left;">How long does it take to crack a password?</h2>
<p style="text-align: left;">There are many factors to consider, starting with the type of attack. If your password is a dictionary word it will be cracked within seconds, as the attacker is likely to use a dictionary attack. If you don’t use a dictionary word, an attacker is forced to use a brute force attack, which is simply trying every possible combination. The time this takes is determined by the strength of your password, which depends on how many combinations are possible &#8211; the mix of lowercase and uppercase letters, numbers and symbols. A modern 4 core computer can guess 100,000,000 passwords per second, and below is an estimate of how long it will take to crack a password at that rate:</p>
<table style="text-align: left;" border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td width="262" valign="top"><strong><span style="text-decoration: underline;">Password Type</span></strong></td>
<td width="155" valign="top"><strong><span style="text-decoration: underline;">Length</span></strong></td>
<td width="198" valign="top"><strong><span style="text-decoration: underline;">Time</span></strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Only Number</strong></td>
<td width="155" valign="top"><strong>8 characters</strong></td>
<td width="198" valign="top"><strong>Instant</strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Only Number</strong></td>
<td width="155" valign="top"><strong>9 Characters</strong></td>
<td width="198" valign="top"><strong>10 seconds</strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Alphabet all the same case</strong></td>
<td width="155" valign="top"><strong>8 Characters</strong></td>
<td width="198" valign="top"><strong>35 minutes</strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Alphabet mixed case</strong></td>
<td width="155" valign="top"><strong>8 Characters</strong></td>
<td width="198" valign="top"><strong>6 days</strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Alphabet mixed case</strong></td>
<td width="155" valign="top"><strong>9 Characters</strong></td>
<td width="198" valign="top"><strong>322 days</strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Mixed Case and numbers</strong></td>
<td width="155" valign="top"><strong>8 Characters</strong></td>
<td width="198" valign="top"><strong>25 days</strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Mixed Case and Symbols</strong></td>
<td width="155" valign="top"><strong>8 Characters</strong></td>
<td width="198" valign="top"><strong>346 days</strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Mixed Case, numbers and Symbols</strong></td>
<td width="155" valign="top"><strong>8 Characters</strong></td>
<td width="198" valign="top"><strong>2 years</strong></td>
</tr>
</tbody>
</table>
<p style="text-align: left;">The table above shows that a password which uses a mix of lower case, upper case and numbers and has the recommended 8 characters will take approximately 25 days to crack! If your data is time sensitive, that should be good enough, right? Unfortunately the answer is no.</p>
<p style="text-align: left;">Security is a numbers game, and in the last couple of years the numbers have changed drastically. GPUs (Graphics Processing Units) have become powerhouses; they are basically supercomputers on a small chip. It was only natural that password cracking, which is an ideal task for this kind of architecture, would exploit this power. Furthermore, these GPUs can be connected together to merge their computational power. It is easy, although a little expensive, to build a computer with 4 GPUs.</p>
<h2 style="text-align: left;">How do GPUs change the numbers?</h2>
<p style="text-align: left;">According to a benchmark I found by a developer of one such password-cracking software that uses the GPU to speed up the process, using a GeForce 9800GX2 the software is capable of trying 608 million combinations every second – that’s 6x the speed of a quad core CPU. The bad news doesn’t end there, however; the GeForce 9800GX2 is a bit old by today’s standards and is rated at approximately 1 teraflop.</p>
<p style="text-align: left;">A modern graphics card such as the ATI HD5970 is rated at 5.5 teraflops, which can yield 33x the speed of a modern CPU. Imagine a scenario where 4 of these cards are installed in one computer and you have a system that can theoretically crunch 13,200,000,000 passwords per second. With such a system the time it takes to crack a password changes as follows:</p>
<table style="text-align: left;" border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td width="262" valign="top"><strong><span style="text-decoration: underline;">Password Type</span></strong></td>
<td width="155" valign="top"><strong><span style="text-decoration: underline;">Length</span></strong></td>
<td width="198" valign="top"><strong><span style="text-decoration: underline;">Time</span></strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Only Number</strong></td>
<td width="155" valign="top"><strong>8 characters</strong></td>
<td width="198" valign="top"><strong>Instant</strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Only Number</strong></td>
<td width="155" valign="top"><strong>9 Characters</strong></td>
<td width="198" valign="top"><strong>Instant</strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Alphabet all the same case</strong></td>
<td width="155" valign="top"><strong>8 Characters</strong></td>
<td width="198" valign="top"><strong>15 seconds</strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Alphabet mixed case</strong></td>
<td width="155" valign="top"><strong>8 Characters</strong></td>
<td width="198" valign="top"><strong>1 hour</strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Alphabet mixed case</strong></td>
<td width="155" valign="top"><strong>9 Characters</strong></td>
<td width="198" valign="top"><strong>2 days</strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Mixed Case and numbers</strong></td>
<td width="155" valign="top"><strong>8 Characters</strong></td>
<td width="198" valign="top"><strong>4.5 days</strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Mixed Case and Symbols</strong></td>
<td width="155" valign="top"><strong>8 Characters</strong></td>
<td width="198" valign="top"><strong>2.6 days</strong></td>
</tr>
<tr>
<td width="262" valign="top"><strong>Mixed Case, numbers and Symbols</strong></td>
<td width="155" valign="top"><strong>8 Characters</strong></td>
<td width="198" valign="top"><strong>5 days</strong></td>
</tr>
</tbody>
</table>
<p style="text-align: left;">This kind of performance will currently cost the attacker over $2,800; however, with GPUs you can expect that price to halve in the next year or two.</p>
<p style="text-align: left;">The next question is what kind of password we need in order to retain our comfortable two year cracking time. Luckily, adding one more character (increasing the length to nine characters for our very strong mixed case, numbers and symbols password) will do the trick, as this setup will take 1.7 years to crack instead of the previous 2.26 years it would take a regular 4 core computer. If on the other hand you’d rather use an easier to remember mix of lower case and upper case letters and numbers, then 10 characters is the minimum length needed to reach the two year mark.</p>
<p style="text-align: left;">Two years of cracking time is the bare minimum that I would consider secure. Traditionally that meant a password at least eight characters long consisting of mixed case letters and numbers; however, in today’s world the bare minimum is 10 characters for this type of password, or nine characters if you also include symbols in the mix. An additional advantage of using symbols in passwords is that an attacker might not include them in his first run of brute forcing, thus wasting precious time trying to crack the password.</p>
<p style="text-align: left;">Keep this in mind next time you create a new password or a password policy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/create-strong-password/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>Protecting your assets using one word – The Password</title>
		<link>http://www.gfi.com/blog/protecting-assets-word-password/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=protecting-assets-word-password</link>
		<comments>http://www.gfi.com/blog/protecting-assets-word-password/#comments</comments>
		<pubDate>Thu, 10 Dec 2009 09:36:32 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[password policies]]></category>
		<category><![CDATA[password security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1725</guid>
		<description><![CDATA[In a world where a sizable part of any company’s assets or management thereof resides in a computer system, it is more than sensible to expect those systems to be as highly protected as possible. In most cases all the &#8230;]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;">In a world where a sizable part of any company’s assets, or the management thereof, resides in a computer system, it is more than sensible to expect those systems to be as highly protected as possible. In most cases all the protection hinges on a number of words, one for each person accessing the system. Obviously it is to be expected that various strategies and policies were created during the computer age to keep these words as safe as possible &#8211; I am, of course, talking about the password.</p>
<p style="text-align: left;">Security has always been a tricky thing, and password policy has been especially taxing for a long time. The biggest problem is that sometimes policies intended to strengthen the company’s security end up hindering it; this has never been truer than in the history of passwords.</p>
<h2 style="text-align: left;">Frequency of Forced Password Change</h2>
<p style="text-align: left;">A common password protection policy is to have the user change the password on a periodic rotation. It can be as short as 30 days; some employ a longer timeframe of 180 days and most settle in the middle with 90 days. The idea behind this policy is that if someone were to compromise the password, his access would be limited to that timeframe, until the password is changed. Furthermore, a brute force attack that is trying to be stealthy and avoid locking the account by only attempting a few passwords a day, as opposed to as many as possible, will have its run invalidated after the password changes, since the new password might be a combination that it has already tried.</p>
<p style="text-align: left;">The intention here is obviously good; however, the policy is dangerous due to its unintended consequences. If the user has no complexity rules he is quite likely to choose an easy password, because it is difficult to come up with a new password every time. If he does have complexity rules preventing him from creating easy to remember passwords, then he will write it down, and possibly attach it to the monitor for everyone to see. The best you can hope for at this point is that the user still has a small sense of security left in him, in which case he might tape the password to the bottom of his keyboard, but that’s it. When forced to come up with and remember a new complex password periodically, you can bet that he will write it down somewhere. Furthermore, in some cases people still try to stick to the same password and get around restrictions such as not being able to reuse the last 6 passwords by, for example, appending a sequential number to the same old password and simply adding 1 to it each time they are forced to change it.</p>
<h2 style="text-align: left;">Complex Password Policy</h2>
<p style="text-align: left;">Another common policy is to enforce password complexity: for example, a password must be at least 8 characters long and contain both upper and lower case letters and numbers. The idea here is to make the life of a brute force attacker difficult by ensuring that many combinations need to be tried.</p>
<p style="text-align: left;">The risk here is users who find it hard to remember what they created and end up writing it down, or who use a nominally complex password that is so common it is like having no password at all, such as “P4ssword”.</p>
<h2 style="text-align: left;">IT generates passwords for users</h2>
<p style="text-align: left;">One thing you can always count on from users is that they will come up with a password that is a lot easier than you intended. Force users to create a password that has both letters and digits and both lower case and upper case, and you can be sure more than one will come up with “P4ssword” or a variation of it. Another thing you can be sure of is that such a password and all of its variations are in many, if not all, password cracking dictionaries.</p>
<p style="text-align: left;">To mitigate this problem, some companies do not allow users to create their own passwords; instead the IT department generates one for them.</p>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">The password generated will surely be strong however it’s likely that it will be impossible to remember especially since the user will have nothing to relate it to. Being unable to remember it, this nearly forces the user to write it down making the strong password useless.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Every single system has its own password</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">The idea here is very straight forward. If one password is compromised the rest of the systems are still secure because they have a different password.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">The idea is great; however, it’s already hard to have a user create one or two strong passwords that he needs to remember. The more passwords you force him to create and remember the more likely he will make them easy to remember. In the worst cases it will be small variations of the same easy to remember password.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">What should one do?</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">How can one tackle this scenario? Should we ignore all the security recommendations? Are they useless? Obviously the answer is no. However it is important to find a good balance. Policy that will frustrate the user is more likely to be ignored than policy which doesn’t inconvenience him much. Ultimately it all boils down to personal choice and finding the right balance. It can also boil down to shifting some of the risk from the password itself to the infrastructure or procedures such as monitoring.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Below are some suggestions:</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Password Frequency</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Personally I would not go with a small password change timeframe. I would set it to at least 180 days. I would then mitigate the extra risk this generates with better monitoring by tracking each successful connection which doesn’t originate from the usual/allowed IP addresses as well as successful logins outside of work time and take pro-active action when this happens.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Password Complexity</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Passwords need to be complex. I would not however just put in a complexity policy and leave it at that. I would also include a little education with it. It can be just a guideline document or maybe better still a small one to one talk with someone from IT that would explain what the policy is about and more importantly some tips and tricks to new employees as part of their orientation. Tips and tricks will be discussed further on in this article.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Password generated by IT for users</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">I would definitely avoid this. Having passwords generated by IT will result in complex passwords that are impossible for the user to remember. The desired strength benefit will be far outweighed by the added risk of having the password written down, possibly in plain sight.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Multiple Passwords</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">I would also recommend that as much as possible there should be a few or even one unified authentication system. The biggest benefit would be that a single system is easier to implement and test, thus one can ensure that it is well implemented and robust. Secondly it’s by far better to have one password that is strong than multiple weak passwords. I would also stress again the importance of monitoring. Action should be taken immediately when a breach happens.  This however is a personal choice. Having one authentication system with only one password means that anyone breaching the system will have access to everything. That being said, it is quite likely that someone who has breached one system will quickly breach more so it might be an acceptable risk.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Training</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">One might have the strongest password in the world but if it is not well protected it will effectively become weaker than the easiest of passwords. Users must be  taught how to take care of their passwords &#8211;  never write them down; never  use them on a wireless connection that isn’t properly secured in the care of the company or directly of the user; never  use the password inside of an internet café and  never store it in a file on your computer or mobile phone.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Tips and Tricks</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">The biggest enemy of a strong password is always the difficulty to remember it.. This however can be mitigated if the password is created the right way. There are various tricks in order to achieve this. The easiest would be to use a phrase, substitute a letter with a number and add a fixed amount to each number to break the leet speak pattern.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Step by Step Example:</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">1.<span style="white-space: pre;"> </span>Select a phrase: DoNotAccessMyData</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">2.<span style="white-space: pre;"> </span>Change o to 0: D0N0TAccessMyData</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">3.<span style="white-space: pre;"> </span>Add 1 to the digits: D1N1TAccessMyData</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Only one letter to digit conversion was performed so as to make it easier.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">There are more advanced tricks as well such as selecting a phrase, using the first letter of each word as part of the password and using alternating case and changing letters to digits and adding a fixed amount to it. Example:</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">1.<span style="white-space: pre;"> </span>Select a phrase of at least 8 words: My Computer Is Secure If I Use This Password And Do Not Write It Down</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">2.<span style="white-space: pre;"> </span>This gets converted to: McIsIiUtPaDnWiD</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">3.<span style="white-space: pre;"> </span>Changing I to 1 and s to 2: Mc1211UtPaDnW1D</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">4.<span style="white-space: pre;"> </span>Adding 1 to remove the leet speak pattern: Mc2322UtPaDnW2D</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">This is a little harder to remember but impossible to guess and a lot of combinations to brute force.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Some things not to do if you want a strong password:</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">-<span style="white-space: pre;"> </span>Never use a password from an example such as the ones above</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">-<span style="white-space: pre;"> </span>Do not simply convert words to leet speak, try to avoid it as much as possible</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">-<span style="white-space: pre;"> </span>Do not use names as passwords</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">-<span style="white-space: pre;"> </span>Do not use normal words in any language as a password</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">-<span style="white-space: pre;"> </span>Do not use personal information such as telephone number, spouse name, children’s name or even pet’s name as a password as these are guessable (even if no one in the universe knows your cat is called Thomas, Thomas is a name that is surely to be found in a hacking dictionary)</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">-<span style="white-space: pre;"> </span>Do not write down the password</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Closing Thoughts</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">No matter how many precautions you take and even if every user of a system follows every recommendation to the letter you’re always risking that at some point in time a password will be compromised. There are a lot of ways in which this can happen: Interception, Social Engineering, Compromise, exploit of the Authentication mechanism, key logger and more. The best approach is to assume that one day the system will be compromised and act accordingly. Be sure to put monitors in place to detect any unauthorized access, be it a login outside working hours to a login from a new unusual IP address. It is a lot more desirable to get a false notification than giving a hacker who compromised your system time to gain a foothold on your system.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">It is also important to consider that the password is only part of the equation. The infrastructure on which the password is used needs to be secure itself. If no one needs outside access to the internal network then make sure that it is blocked by a firewall. If only a few need access then explicitly allow access to only their machines. Monitoring events generated by a machine can indicate that a machine is under attack. If the same host is repeatedly trying to break in extra measures can be taken to stop him and also have the account disabled after a certain amount of failed logins.</div>
<p><a class="lightbox" title="password_policies" href="http://www.gfi.com/blog/wp-content/uploads/2009/12/password_policies.jpg"><img class="alignright size-medium wp-image-1726" style="margin: 10px;" title="password_policies" src="http://www.gfi.com/blog/wp-content/uploads/2009/12/password_policies-300x200.jpg" alt="" width="270" height="180" /></a>In a world where a sizable part of any company’s assets, or the management thereof, resides in a computer system, it is more than sensible to expect those systems to be as highly protected as possible. In most cases all the protection hinges on a number of words, one for each person accessing the system. It is to be expected that various strategies and policies were created during the computer age to keep these words as safe as possible &#8211; I am obviously talking about the password.</p>
<p><span id="more-1725"></span></p>
<p>Security has always been a tricky thing, and password policy has been especially taxing for a long time. The biggest problem is that policies intended to strengthen the company’s security sometimes end up hindering it; this has never been truer than with the history of passwords.</p>
<h2>Frequency of Forced Password Change</h2>
<p>A common password protection policy is to have the user change the password on a periodic rotation. It can be as short as 30 days; some employ a longer timeframe of 180 days, and most settle in the middle with 90 days. The idea behind this policy is that if someone were to compromise the password, his access will be limited to that timeframe, until the password is changed. Furthermore, a brute force attack that is trying to be stealthy (or to avoid locking the account) by only attempting a few passwords a day rather than as many as possible will have its run invalidated once the password changes, since the new password might be a combination it has already tried.</p>
<p>The intention here is obviously good; however, it is dangerous due to its unintended consequences. If the user has no complexity rules, he is quite likely to choose an easy password, because it is difficult to come up with a new password every time. If he does have complexity rules preventing him from creating easy-to-remember passwords, then he will write it down, and possibly attach it to the monitor for everyone to see. The best you can hope for at this point is that the user still has a small sense of security left in him, in which case he might tape the password to the bottom of his keyboard, but that’s it. When forced to come up with and remember a new complex password periodically, you can bet that he will write it down somewhere. Furthermore, in some cases people still try to stick to the same password and get around restrictions such as not being able to reuse the last 6 passwords by adding a sequential number after the same old password and simply adding 1 to it each time they’re forced to change the password.</p>
<h2>Complex Password Policy</h2>
<p>Another common policy is to enforce password complexity: for example, a password must be at least 8 characters long and contain both upper- and lower-case letters and numbers. The idea here is to make life difficult for a brute force attack by ensuring that many combinations need to be tried.</p>
<p>The risk here is users who find it hard to remember what they created and end up writing it down, or who pick a password that technically satisfies the rules but is so common it’s like having no password at all, such as “P4ssword”.</p>
<h2>IT generates password for users</h2>
<p>One thing you can always count on from users is that they will come up with a password that is a lot easier than you intended. Force users to create a password with letters and digits in both lower and upper case and you can be sure more than one will come up with “P4ssword” or a variation of it. Another thing you can be sure of is that such a password and all of its variations are in many, if not all, password cracking dictionaries.</p>
<p>To mitigate this problem some companies do not allow users to create their own passwords but the IT department generates one for them.</p>
<p>The generated password will surely be strong; however, it’s likely to be impossible to remember, especially since the user will have nothing to relate it to. Being unable to remember it all but forces the user to write it down, making the strong password useless.</p>
<h2>Every single system has its own password</h2>
<p>The idea here is very straightforward. If one password is compromised, the rest of the systems are still secure because they have a different password.</p>
<p>The idea is great; however, it’s already hard to have a user create one or two strong passwords that he needs to remember. The more passwords you force him to create and remember, the more likely he is to make them easy to remember. In the worst cases they will be small variations of the same easy-to-remember password.</p>
<h2>What should one do?</h2>
<p>How can one tackle this scenario? Should we ignore all the security recommendations? Are they useless? Obviously the answer is no. However, it is important to find a good balance. A policy that frustrates the user is more likely to be ignored than one which doesn’t inconvenience him much. Ultimately it all boils down to personal choice and finding the right balance. It can also mean shifting some of the risk from the password itself to the infrastructure or to procedures such as monitoring.</p>
<p>Below are some suggestions:</p>
<h3>Password Frequency</h3>
<p>Personally I would not go with a short password change timeframe. I would set it to at least 180 days. I would then mitigate the extra risk this generates with better monitoring: tracking each successful connection that doesn’t originate from the usual/allowed IP addresses, as well as successful logins outside of work time, and taking proactive action when this happens.</p>
<h3>Password Complexity</h3>
<p>Passwords need to be complex. I would not, however, just put in a complexity policy and leave it at that; I would also include a little education with it. It can be just a guideline document or, better still, a short one-to-one talk with someone from IT, given to new employees as part of their orientation, explaining what the policy is about and, more importantly, some tips and tricks. Tips and tricks are discussed further on in this article.</p>
<h3>Password generated by IT for users</h3>
<p>I would definitely avoid this. Having passwords generated by IT will result in complex passwords that are impossible for the user to remember. The desired strength benefit will be far outweighed by the added risk of having the password written down, possibly in plain sight.</p>
<h3>Multiple Passwords</h3>
<p>I would also recommend that, as much as possible, there should be only a few or even a single unified authentication system. The biggest benefit is that a single system is easier to implement and test, so one can ensure that it is well implemented and robust. Secondly, it is far better to have one strong password than multiple weak passwords. I would also stress again the importance of monitoring: action should be taken immediately when a breach happens. This, however, is a personal choice. Having one authentication system with only one password means that anyone breaching the system will have access to everything. That being said, it is quite likely that someone who has breached one system will quickly breach more, so it might be an acceptable risk.</p>
<h3>Training</h3>
<p>One might have the strongest password in the world, but if it is not well protected it will effectively become weaker than the easiest of passwords. Users must be taught how to take care of their passwords &#8211; never write them down; never use them over a wireless connection that isn’t properly secured, whether it is managed by the company or by the user directly; never use the password inside an internet café; and never store it in a file on your computer or mobile phone.</p>
<h3>Tips and Tricks</h3>
<p>The biggest enemy of a strong password is always the difficulty of remembering it. This, however, can be mitigated if the password is created the right way. There are various tricks to achieve this. The easiest is to use a phrase, substitute a letter with a number, and then add a fixed amount to each number to break the leet speak pattern.</p>
<h3>Step by Step Example:</h3>
<ol>
<li>Select a phrase: DoNotAccessMyData</li>
<li>Change o to 0: D0N0TAccessMyData</li>
<li>Add 1 to the digits: D1N1TAccessMyData</li>
</ol>
<p>Only one letter-to-digit conversion was performed, to keep the result easy to remember.</p>
<p>There are more advanced tricks as well, such as selecting a phrase, using the first letter of each word in alternating case, changing some letters to digits and then adding a fixed amount to each digit. Example:</p>
<ol>
<li>Select a phrase of at least 8 words: My Computer Is Secure If I Use This Password And Do Not Write It Down</li>
<li>This gets converted to: McIsIiUtPaDnWiD</li>
<li>Changing I to 1 and s to 2: Mc1211UtPaDnW1D</li>
<li>Adding 1 to remove the leet speak pattern: Mc2322UtPaDnW2D</li>
</ol>
<p>This is a little harder to remember but impossible to guess, and it leaves a lot of combinations to brute force.</p>
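<p>The two walkthroughs above, together with the complexity rules discussed earlier, as an added Python example that is not code from the original article: <code>check_policy</code> enforces the length, case and digit rules and undoes common leet-speak substitutions before a dictionary lookup, so a value like P4ssword is rejected even though it satisfies every rule; <code>is_trivial_variant</code> catches the “old password plus an incremented number” trick that gets around a password-history rule; <code>initials_alternating_case</code> and <code>substitute_and_shift</code> implement the phrase-to-password steps and reproduce the article’s Mc2322UtPaDnW2D. The dictionary, the leet map and the thresholds are constructed assumptions for illustration.</p>

```python
"""Password policy enforcement with leet-speak normalisation, plus the
phrase-based transform the article walks through.

Added example, not code from the original article. COMMON_WORDS, UNLEET and
the policy thresholds are constructed assumptions for illustration; a real
deployment would load a full cracking wordlist.
"""
import string

# Constructed mini-dictionary standing in for a password-cracking wordlist.
COMMON_WORDS = {"password", "secret", "welcome", "letmein", "thomas", "qwerty"}

# Undo the usual digit/symbol-for-letter substitutions before the lookup,
# so "P4ssword" is compared as "password".
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s"})


def normalise(password):
    """Lower-case the password and reverse common leet substitutions."""
    return password.lower().translate(UNLEET)


def check_policy(password, min_len=8):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    base = normalise(password)
    # Also strip digits/punctuation tacked on at either end ("P4ssword1").
    core = base.strip(string.digits + string.punctuation)
    if base in COMMON_WORDS or core in COMMON_WORDS:
        problems.append("dictionary word once leet substitutions are undone")
    return problems


def is_trivial_variant(old, new):
    """True when `new` is `old` with only its trailing digits changed
    (Password1 -> Password2), the usual way round a password-history rule."""
    stem = old.rstrip(string.digits)
    return old != new and stem != "" and stem == new.rstrip(string.digits)


def initials_alternating_case(phrase):
    """First letter of each word, in alternating upper/lower case."""
    letters = [word[0] for word in phrase.split()]
    return "".join(ch.upper() if i % 2 == 0 else ch.lower()
                   for i, ch in enumerate(letters))


def substitute_and_shift(text, subs, offset):
    """Replace letters according to `subs` (case-insensitive), then add
    `offset` to every digit modulo 10 to break the leet-speak pattern."""
    out = []
    for ch in text:
        ch = subs.get(ch.lower(), ch)
        if ch.isdigit():
            ch = str((int(ch) + offset) % 10)
        out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    phrase = "My Computer Is Secure If I Use This Password And Do Not Write It Down"
    pw = substitute_and_shift(initials_alternating_case(phrase), {"i": "1", "s": "2"}, 1)
    print(pw, check_policy(pw))          # Mc2322UtPaDnW2D []
    print(check_policy("P4ssword"))      # ['dictionary word once leet substitutions are undone']
    print(is_trivial_variant("Summer2011", "Summer2012"))  # True
```

<p>The point of <code>normalise</code> is that the complexity rules and the dictionary check have to be applied together: each of the four rules on its own accepts “P4ssword”, and only the lookup after undoing the substitutions rejects it.</p>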
<p>Some things that you should not do if you want a strong password:</p>
<ul>
<li>Never use a password from an example such as the ones above</li>
<li>Do not simply convert words to leet speak; avoid it as much as possible</li>
<li>Do not use names as passwords</li>
<li>Do not use normal words in any language as a password</li>
<li>Do not use personal information such as a telephone number, spouse’s name, children’s names or even a pet’s name as a password, as these are guessable (even if no one in the universe knows your cat is called Thomas, Thomas is a name that is sure to be found in a hacking dictionary)</li>
<li>Do not write down the password</li>
</ul>
<h2>Closing Thoughts</h2>
<p>No matter how many precautions you take, and even if every user of a system follows every recommendation to the letter, you’re always risking that at some point in time a password will be compromised. There are a lot of ways in which this can happen: interception, social engineering, compromise, an exploit of the authentication mechanism, a key logger and more. The best approach is to assume that one day the system will be compromised and act accordingly. Be sure to put monitors in place to detect any unauthorized access, be it a login outside working hours or a login from a new, unusual IP address. It is a lot more desirable to get a false notification than to give a hacker who compromised your system time to gain a foothold on it.</p>
<p>It is also important to consider that the password is only part of the equation. The infrastructure on which the password is used needs to be secure itself. If no one needs outside access to the internal network, then make sure that it is blocked by a firewall. If only a few need access, then explicitly allow access only to their machines. Monitoring the events generated by a machine can indicate that it is under attack. If the same host is repeatedly trying to break in, extra measures can be taken to stop it, and the account can be disabled after a certain number of failed logins.</p>
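<p>The monitoring the article recommends, namely flagging successful logins outside work hours or from addresses outside the allowed ranges, and locking out accounts or hosts after repeated failures, as an added Python example that is not code from the original article. The log format, the sample log lines, the allowed network, the working-hours window and the failure threshold are all constructed assumptions.</p>

```python
"""Login-event monitoring: alert on successful logins that are off-hours or
from an unexpected address, and pick out accounts/hosts that hit the
failed-login threshold.

Added example, not code from the original article. The log format, the
sample lines, ALLOWED_NETS, the working-hours window and FAIL_THRESHOLD are
constructed assumptions.
"""
from collections import Counter
from datetime import datetime, time
import ipaddress

# Constructed log format: "<ISO timestamp> <user> <source ip> <SUCCESS|FAIL>".
# 2011-03-31 is a Thursday, so the weekday check is exercised as a work day.
SAMPLE_LOG = """\
2011-03-31T09:12:03 alice 10.0.1.25 SUCCESS
2011-03-31T10:40:17 bob 10.0.2.8 SUCCESS
2011-03-31T23:55:41 alice 10.0.1.25 SUCCESS
2011-03-31T14:02:09 carol 203.0.113.77 SUCCESS
2011-03-31T14:03:10 dave 198.51.100.9 FAIL
2011-03-31T14:03:12 dave 198.51.100.9 FAIL
2011-03-31T14:03:15 dave 198.51.100.9 FAIL
2011-03-31T14:03:19 dave 198.51.100.9 FAIL
2011-03-31T14:03:22 dave 198.51.100.9 FAIL
2011-03-31T14:04:01 dave 198.51.100.9 SUCCESS
"""

ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed office ranges
WORK_START, WORK_END = time(8, 0), time(19, 0)       # assumed working hours
FAIL_THRESHOLD = 5                                    # assumed lockout threshold


def parse_log(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ipaddress.ip_address(ip), "ok": result == "SUCCESS"})
    events.sort(key=lambda e: e["ts"])
    return events


def is_allowed_ip(ip):
    return any(ip in net for net in ALLOWED_NETS)


def in_work_hours(ts):
    """Monday to Friday, within the configured window."""
    return ts.weekday() < 5 and WORK_START <= ts.time() < WORK_END


def suspicious_logins(events):
    """Successful logins that are off-hours or from an unexpected address.
    Returns (user, ip, timestamp, reasons) tuples in time order."""
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        reasons = []
        if not is_allowed_ip(e["ip"]):
            reasons.append("unexpected source address")
        if not in_work_hours(e["ts"]):
            reasons.append("outside working hours")
        if reasons:
            alerts.append((e["user"], str(e["ip"]), e["ts"].isoformat(), reasons))
    return alerts


def lockout_candidates(events, threshold=FAIL_THRESHOLD):
    """(accounts, hosts) with at least `threshold` failed attempts."""
    by_user = Counter(e["user"] for e in events if not e["ok"])
    by_host = Counter(str(e["ip"]) for e in events if not e["ok"])
    return ({u for u, n in by_user.items() if n >= threshold},
            {h for h, n in by_host.items() if n >= threshold})


def success_after_failures(events, threshold=FAIL_THRESHOLD):
    """Users whose success followed `threshold` or more consecutive failures
    from the same host: exactly the run a lockout policy is meant to cut off."""
    streak = Counter()
    hits = set()
    for e in events:  # parse_log() already sorted these by time
        key = (e["user"], str(e["ip"]))
        if e["ok"]:
            if streak[key] >= threshold:
                hits.add(e["user"])
            streak[key] = 0
        else:
            streak[key] += 1
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in suspicious_logins(evs):
        print("ALERT", alert)
    print("lockout:", lockout_candidates(evs))
    print("success after failures:", success_after_failures(evs))
```

<p>The three checks answer the three questions the article raises: who logged in when or from where they should not have, which source is hammering the login and should be blocked, and which account a long run of failures actually got into. Feeding real logs only requires replacing <code>parse_log</code> with one for the authentication system’s own format.</p>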
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/protecting-assets-word-password/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Protecting Your Passwords and Confidential Information</title>
		<link>http://www.gfi.com/blog/protecting-passwords-confidential-information/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=protecting-passwords-confidential-information</link>
		<comments>http://www.gfi.com/blog/protecting-passwords-confidential-information/#comments</comments>
		<pubDate>Fri, 04 Dec 2009 14:39:17 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1715</guid>
		<description><![CDATA[Protecting Your Passwords and Confidential information We all know how important a password can be. This is especially true when that password is used on multiple systems. In my past articles I have talked about how to protect one’s passwords &#8230;]]></description>
			<content:encoded><![CDATA[<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Protecting Your Passwords and Confidential information</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">We all know how important a password can be. This is especially true when that password is used on multiple systems. In my past articles I have talked about how to protect one’s passwords from compromised machines that could have Trojans installed on them.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">There are however many more risks to this.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Wireless access points:</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">We’ve all been at an airport waiting for hours for our connecting flight. In most cases we have laptops, PDAs or even mobile phones that can connect wirelessly to the internet, provided we find an access point to use. Sometimes you find a paid service that allows you to access cyberspace, whilst other times you hit the jackpot and find a free access point. The same happens at bars and restaurants, but what’s the implication of this? The truth is that you do not really know what you’re connecting to! It could very easily be a malicious person sitting nearby with his laptop, providing an open access point in order to sniff everything that he proxies through.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Even with paid services, one isn’t necessarily safe. It might be a scheme to get your credit card details: one small PDA in a piece of hand luggage, and a laptop on which a casual-looking person does whatever while it waits to capture the credit card details entered by a victim who believes he’s buying wireless access from some major vendor, only to be told that the transaction failed. No big deal; when he checks the balance he will not have been charged, that is, until his stolen credit card is used. However, that is likely to happen months later, and even if you remember this particular incident and make the connection, you’re surely not going to remember the face of every person with a laptop at the airport on that day!</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Even at shops, bars and restaurants you don’t really know what’s happening to your data as you surf away. It might be that some employee at that establishment is logging all traffic going through its network. It’s quite likely that a bar providing free internet access will not monitor its systems closely, so they might have been compromised and a malicious hacker could be monitoring all that is going through the network. It might also not be the bar’s wireless network at all; maybe it’s the hacker next door who sets up an open relay to exploit his optimum location close to a bar, so as to spy on anyone who happens to connect to his system.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">In any case it is essential to keep in mind that whenever you log in to a wireless access point that you do not control, you are taking a security risk.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Internet Café:</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">With internet cafés it’s mostly the same story as with the wireless access points above. While it is less likely that the establishment is spying on you intentionally, it is quite possible that someone who used the system before you actually managed to compromise it and install key loggers / Trojans to monitor whatever you will be doing.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Satellite:</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">In this modern age Satellites are being used for everything; from television to radio, positioning data and even providing internet access to remote areas. In most cases satellite internet is pretty fast and its only technical draw back is latency and some way to upstream. There is also a pretty nasty security issue with it as well. Wireless sniffing has made it easier to penetrate networks by allowing people to gain physical access to your network connection by proximity, instead of either needing physical access to the wire or a point between you and the destination. Satellite makes the situation worse because whatever you access though a satellite connection is transmitted to everyone in a geographical range the size of a continent! Anyone with a satellite dish can sniff any satellite transmission (some are encrypted but the majority are not and there is a technical reason for this) and they do this from the comfort of their home without any risk whatsoever.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Work place:</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">This one is probably the least obvious. Your passwords are at risk on your Work network as well. If a disgruntled employee is running a sniffer on his machine it is possible that he might sniff passwords or confidential information that is traveling along the network. The amount here could vary depending on the network topology and infrastructure. We already discussed in a previous article how it is possible to sniff printouts which can then be replayed to any printer and reprinted. Passwords, confidential emails, confidential documents and even chats can provide a wealth of information that in some cases could possibly be valuable to a disgruntled employee who might want to get back at his employer.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">What to do about it?</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Now that we’re aware of the risks what can we do about them? There is no straight answer for this. The best thing is to not access any confidential data on an open connection such as wireless and Satellite. Use systems that require authentication only if the connection is encrypted. Internet cafés are another story; here encryption does not provide enough security. It is quite possible they might have key loggers and that your encryption will not protect your passwords at all. It might be safer to connect your own laptop whenever this is allowed, although there is still another risk because it might open you up to virus attacks since some machines on the network might be infected. Ultimately one must always be aware of security threats and avoid any potentially harmful scenarios wherever possible.</div>
<p><a class="lightbox" title="Enforcing security policies in an organization" href="http://www.gfi.com/blog/wp-content/uploads/2009/07/Security-Policies-Part1.jpg"><img class="alignright size-medium wp-image-491" style="margin: 10px;" title="Enforcing security policies in an organization" src="http://www.gfi.com/blog/wp-content/uploads/2009/07/Security-Policies-Part1-300x239.jpg" alt="" width="192" height="153" /></a>We all know how important a password can be. This is especially true when that password is used on multiple systems. In my past articles I have talked about how to protect one’s passwords from compromised machines that could have Trojans installed on them.</p>
<p>There are, however, many more risks than this.</p>
<p><span id="more-1715"></span></p>
<h2>Wireless access points</h2>
<p>We’ve all been at an airport waiting for hours for a connecting flight. In most cases we have laptops, PDAs or even mobile phones that can connect wirelessly to the internet, provided we find an access point to use. Sometimes you find a paid service that allows you to access cyberspace, whilst other times you hit the jackpot and find a free access point. The same happens at bars and restaurants, but what is the implication of this? The truth is that you do not really know what you’re connecting to! It could very easily be a malicious person sitting nearby with his laptop, providing an open access point in order to sniff everything that he proxies through it.</p>
<p>Even with paid services, one isn’t necessarily safe. It might be a scheme to get your credit card details. A small PDA in someone’s hand luggage, or a laptop belonging to what looks like an ordinary traveller, can be sitting there waiting to capture the credit card details entered by a victim who believes he is buying wireless access from some major vendor, only to be told that the transaction failed. No big deal: when he checks his balance he will not have been charged, that is, until his stolen credit card is used. That is likely to happen months later, and even if you remember this particular incident and make the connection, you are surely not going to remember the face of every person with a laptop at the airport that day!</p>
<p>Even at shops, bars and restaurants you don’t really know what’s happening to your data as you surf away. It might be that some employee at that establishment is logging all traffic going through the network. It’s quite likely that a bar providing free internet access will not monitor its systems closely, so they might have been compromised and a malicious hacker could be monitoring everything that goes through the network. It might also not be the bar’s wireless network at all; maybe it’s the hacker next door who has set up an open relay to exploit his optimum location close to the bar, so that he can spy on anyone who happens to connect to his system.</p>
<p>In any case it is essential to keep in mind that whenever you log in to a wireless access point that you do not control, you are taking a security risk.</p>
<h2>Internet Cafés</h2>
<p>With internet cafés it’s mostly the same story as with the wireless access points above. While it is less likely that the establishment is spying on you intentionally, it is quite possible that someone who used the system before you managed to compromise it and install keyloggers or Trojans to monitor whatever you do on it.</p>
<h2>Satellite Systems</h2>
<p>In this modern age satellites are being used for everything, from television to radio, positioning data and even providing internet access to remote areas. In most cases satellite internet is pretty fast, and its only technical drawbacks are latency and the need for some kind of upstream link. There is a pretty nasty security issue with it as well. Wireless sniffing has made it easier to penetrate networks by allowing people to gain access to your network connection through mere proximity, instead of needing physical access to the wire or to a point between you and the destination. Satellite makes the situation worse because whatever you access through a satellite connection is transmitted to everyone in a geographical range the size of a continent! Anyone with a satellite dish can sniff any satellite transmission (some are encrypted but the majority are not, and there is a technical reason for this), and they can do so from the comfort of their home without any risk whatsoever.</p>
<h2>Workplace</h2>
<p>This one is probably the least obvious. Your passwords are at risk on your work network as well. If a disgruntled employee is running a sniffer on his machine, it is possible that he might capture passwords or confidential information travelling along the network. How much he can capture depends on the network topology and infrastructure. We already discussed in a previous article how it is possible to sniff printouts, which can then be replayed to any printer and reprinted. Passwords, confidential emails, confidential documents and even chats can provide a wealth of information that in some cases could be valuable to a disgruntled employee who wants to get back at his employer.</p>
<h2>What to do about it?</h2>
<p>Now that we’re aware of the risks, what can we do about them? There is no straight answer. The best thing is not to access any confidential data over an open connection such as wireless or satellite. Use systems that require authentication only if the connection is encrypted. Internet cafés are another story; here encryption does not provide enough security. It is quite possible that they have keyloggers installed, in which case your encryption will not protect your passwords at all. It might be safer to connect your own laptop whenever this is allowed, although there is still another risk: it might open you up to virus attacks, since some machines on the network might be infected. Ultimately one must always be aware of security threats and avoid any potentially harmful scenarios wherever possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/protecting-passwords-confidential-information/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Mind that password&#8230; again</title>
		<link>http://www.gfi.com/blog/mind-password-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=mind-password-2</link>
		<comments>http://www.gfi.com/blog/mind-password-2/#comments</comments>
		<pubDate>Fri, 16 Oct 2009 15:06:07 +0000</pubDate>
		<dc:creator>David Kelleher</dc:creator>
				<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1472</guid>
		<description><![CDATA[Last week I commented on the phishing attack that resulted in more than 10,000 passwords being leaked online. An analysis of the passwords showed that many computer users are more concerned with choosing a password that they can remember rather &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="Passwords 2" href="http://www.gfi.com/blog/wp-content/uploads/2009/10/Passwords-2.jpg"><img class="alignright size-medium wp-image-1473" style="margin: 10px;" title="Passwords 2" src="http://www.gfi.com/blog/wp-content/uploads/2009/10/Passwords-2-199x300.jpg" alt="" width="159" height="240" /></a>Last week I commented on the <a href="http://www.gfi.com/blog/mind-password/" target="_blank">phishing attack that resulted in more than 10,000 passwords being leaked online</a>. An analysis of the passwords showed that many computer users are more concerned with choosing a password that they can remember rather than one that is strong and reduces the risk of it being hacked.</p>
<p>Now a <a href="http://www.hfes.org/web/Newsroom/HFES09-Hoonaker-CIS.pdf">new academic study</a> shows that only 4% of corporate IT users stick to password rules created by IT administrators and clearly defined in their security policies.</p>
<p>The bad news for administrators is that the majority of employees don’t care what the policies say, and even if they are forced to use strong passwords (through Windows’ security policies) they still leave the password written on a Post-it note on the monitor or next to the computer.</p>
<p><span id="more-1472"></span></p>
<p>The research, carried out at the University of Wisconsin-Madison and the IT University of Copenhagen, looked into the password habits of 836 employees, at a company that handles sensitive information, in their use of IT systems.</p>
<p>Over the past few years, a lot of attention has been focused on the deployment of hardware and software solutions to improve computer and information security, and while there have been massive improvements, the stark truth is that a single user password can make the best-protected systems vulnerable.</p>
<p>When you have employees writing down their passwords (usually used for multiple accounts), leaving them on their desk for all to see, and choosing passwords straight out of a dictionary, then that organization has a problem on its hands.</p>
<p>The problem, I believe, is that computer users are not bothered with strong passwords because they don’t understand what all the fuss is about. So what if their work credentials are the same as those used for their Yahoo! mail, their MSN account, their online banking account and the two or three social networks they use? So long as the password can be remembered, they are happy.</p>
<p>With social engineering becoming an art form in itself, the risk of identity theft is extremely high. If an employee uses a single password for every account he or she has, and that password is discovered (last week’s phishing attack showed that there are no guarantees), what is there to stop someone from finding out where they work and using those same credentials to enter the corporate network? Far-fetched? I don’t think so.</p>
<p>One positive that can be taken from the survey is that there is a strong correlation between weak passwords and user type. Stronger passwords were used by those with considerably more experience. This could indicate that with proper training and awareness people can change their habits.</p>
<p>Then again, weak passwords were already a problem for UNIX users in 1979.</p>
<p>Is the battle lost? Not really, but it means that security cannot be taken for granted despite advances in technology. Humans, and the way they interact with machines, remain the weakest link in security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/mind-password-2/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Mind that password</title>
		<link>http://www.gfi.com/blog/mind-password/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=mind-password</link>
		<comments>http://www.gfi.com/blog/mind-password/#comments</comments>
		<pubDate>Thu, 08 Oct 2009 07:16:13 +0000</pubDate>
		<dc:creator>David Kelleher</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1380</guid>
		<description><![CDATA[The phishing attack that led to more than 10,000 Hotmail, MSN and Live.com passwords being exposed online earlier this week has provided an interesting glimpse into the mindset of email users when setting up their accounts. A researcher who managed &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="Choosing a password" href="http://www.gfi.com/blog/wp-content/uploads/2009/10/Choosing-a-password.jpg"><img class="alignright size-medium wp-image-1381" style="margin: 10px;" title="Choosing a password" src="http://www.gfi.com/blog/wp-content/uploads/2009/10/Choosing-a-password-300x200.jpg" alt="" width="300" height="200" /></a>The phishing attack that led to more than 10,000 Hotmail, MSN and Live.com passwords being exposed online earlier this week has provided an interesting glimpse into the mindset of email users when setting up their accounts.</p>
<p>A researcher who managed to look at the 10,000 or so Hotmail, MSN and Live.com passwords <a href="http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/">published an analysis of the list</a> and the strength of passwords used.</p>
<p><span id="more-1380"></span></p>
<p>According to the analysis, one of the simplest passwords around, ‘123456’, appeared 64 times in the list. Undoubtedly, those account users would do well to change it as soon as possible, but judging by people’s attitudes towards passwords, I doubt that many of those 64 account holders will choose anything more complex than adding an ‘a’ at the beginning.</p>
<p>Some of the other statistics are quite interesting. Forty-two percent of the passwords used only lowercase letters from ‘a’ to ‘z’, while only 6% used a mix of alphanumeric and other characters.</p>
<p>The analysis shows that one-fifth of the passwords were only six characters long although the longest had 30 characters. The shortest was 1 character long.</p>
<p>A good number of passwords were formed using first names, which is just as secure as having no password at all.</p>
<p>As Emmanuel Carabott explains, it is <a href="http://www.gfi.com/blog/thousands-hotmail-login-credentials-stolen/">very important that people not only create strong passwords but they also change them regularly</a>. Furthermore, it is good practice to use different passwords for different accounts so that if one is compromised, your other accounts or memberships will not be affected.</p>
<p>A lot of people are worried that if they use very strong or long passwords, they will forget them and not be able to access their email. While this is a valid point, it is possible to create a strong password that you can and will remember. For example, you can choose a phrase or a combination of words that is of particular significance to you, such as ‘I love chocolate’. By changing a few characters you can create a strong password: !loveCh0c0late.</p>
<p>Read the following <a href="http://technet.microsoft.com/en-us/library/cc756109(WS.10).aspx">Technet article</a> for guidelines on choosing strong passwords.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/mind-password/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>How to choose an effective password</title>
		<link>http://www.gfi.com/blog/choose-effective-password/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=choose-effective-password</link>
		<comments>http://www.gfi.com/blog/choose-effective-password/#comments</comments>
		<pubDate>Fri, 17 Jul 2009 12:19:20 +0000</pubDate>
		<dc:creator>Mark Busuttil</dc:creator>
				<category><![CDATA[GFI Fixes It]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=563</guid>
		<description><![CDATA[Data has nowadays become our most valuable asset which needs to be protected at any cost. Data can be protected in many ways; however, the most common technique to protect information is with the use of passwords. A password consists &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="Choosing a secure password" href="http://www.gfi.com/blog/wp-content/uploads/2009/07/Choosing-a-password.jpg"><img class="alignright size-medium wp-image-566" style="margin: 10px;" title="Choosing a secure password" src="http://www.gfi.com/blog/wp-content/uploads/2009/07/Choosing-a-password-300x200.jpg" alt="" width="240" height="160" /></a>Data has nowadays become our most valuable asset which needs to be protected at any cost. Data can be protected in many ways; however, the most common technique to protect information is with the use of passwords.</p>
<p>A password consists of a string of characters which is required to gain access to a resource, such as a network, document or database. With the use of such a password (generally in conjunction with a username) one is able to prove their identity and ultimately access the resource required. As with every security implementation, there exist a number of ways to counterfeit such security practices.</p>
<p><span id="more-563"></span>Over the past years a number of ways to crack passwords have been developed such as Brute-force attacks and dictionary attacks. Brute-force attacks attempt to guess the password until a successful guess occurs, whilst dictionary attacks uses a dictionary file containing a number of common words to attempt to find the user’s password. A number of hybrids have evolved which try combinations of these two methods such as rainbow tables.</p>
<p>With the evolution of such password cracking technologies, one needs to ensure that the password being used to protect your system and data must reach a certain complexity level, which will hinder the possibility of your password being cracked.</p>
<p>This blog entry describes different types of password that can be used and their efficiency and effectiveness.</p>
<h2>Simple Passwords</h2>
<p>These passwords generally consist of a single word such as the name of a pet, or a single word which is normally found in a dictionary. It is unwise to use such passwords given that they are easily guessed with the use of dictionary attacks. An example of a dictionary password is ‘world’.</p>
<h2>Passwords containing Non-Alphanumeric Characters</h2>
<p>Increasing password complexity reduces the risk of an attacker guessing your password. Most security experts believe that a password should consist of a selection of numbers, letters (both uppercase and lowercase) and non-alphanumeric characters such as $, %, !. Such passwords are difficult to guess with a typical dictionary attack, since the password would not be found within the dictionary file. An example of such a password is ‘Pr0f3$$10n41’, in which specific letters are replaced with digits and non-alphanumeric characters. However, modern dictionary attack applications also have an option to replace standard characters with such substitutes, making this password vulnerable to modern dictionary attacks.</p>
<p>A more effective implementation of this technique is to gather a series of different characters and place them together, such as ‘A8!bfe1(3’, which makes the password very difficult to crack using a dictionary attack; however, such passwords are hard to remember and too complex for the average user.</p>
<h2>Passphrases</h2>
<p>Passphrases are longer than your average password, and they consist of a number of words, which makes them much harder for an attacker to guess through brute-force or dictionary attacks. An example of a passphrase would be ‘iliveinahouse’. Passphrase complexity can be increased by adding some form of punctuation between words, such as underscores ‘_’ or commas ‘,’.</p>
<h2>Symbols</h2>
<p>Symbols which are not found on a keyboard can also be used within passwords. Such symbols can easily be entered by holding the ALT key and then typing the symbol’s number on the numeric keypad. An example of such a password is ‘Registered®Password’. The ® character is inserted in the password by typing ALT-0174. Other symbols that can be used are: Alt-0189 &#8211; ½ ; Alt-0167 &#8211; § ; Alt-0169 &#8211; ©.</p>
<p>Apart from the fact that traditional password cracking techniques do not normally take such symbols into consideration, another advantage that symbols offer is that they help protect against shoulder surfing.</p>
<p>Symbols are even more effective when used in conjunction with passphrases and non-alphanumeric passwords.</p>
<h2>Password Length</h2>
<p>The longer your password, the more secure it is. It is recommended to have your passwords as long as possible, while ensuring that they remain easy enough for you to remember. Security experts believe that passwords should be a minimum of 10 characters long.</p>
<p>Any system with a weak password within your network can prove to be an entry point for an attacker; therefore it is critical to improve the overall complexity of the passwords used within your organization. Most operating systems can now be configured to only accept passwords of a certain complexity. Password complexity policies can be introduced within a domain, and all passwords required by the operating system must adhere to such policies or they will be rejected. There are other password-related policies which help deter potential attackers, such as enforcing password length, expiring passwords after a certain number of days and prohibiting the re-use of passwords, but this is a discussion for a separate blog entry.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/choose-effective-password/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security and Usability: Finding the Right Balance</title>
		<link>http://www.gfi.com/blog/security-usability-finding-balance/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=security-usability-finding-balance</link>
		<comments>http://www.gfi.com/blog/security-usability-finding-balance/#comments</comments>
		<pubDate>Tue, 07 Jul 2009 08:23:25 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[policies]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[UAC]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=367</guid>
		<description><![CDATA[Determining the fine line between security and usability is a hard task for everybody involved in IT security, from software developers to network administrators. The lack of balance between these two items is one of the main reasons that can &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="Security and Usability in the workplace" href="http://www.gfi.com/blog/wp-content/uploads/2009/07/Security-and-Usability.jpg"><img class="alignright size-medium wp-image-375" style="margin: 10px;" title="Security and Usability in the workplace" src="http://www.gfi.com/blog/wp-content/uploads/2009/07/Security-and-Usability-300x283.jpg" alt="" width="192" height="181" /></a>Determining the fine line between security and usability is a hard task for everybody involved in IT security, from software developers to network administrators. The lack of balance between these two items is one of the main reasons that can make a security system fail. Here are a few examples:</p>
<h2>Passwords</h2>
<p>Passwords are the most common authentication method. They are so popular that everyone &#8211; or at least all network administrators &#8211; should know how to use them effectively. However, there are still many cases where users either have passwords that are easy to guess or simply write their passwords on a piece of paper that is placed on the desk and therefore available to anybody who passes by.</p>
<p>Why is this happening? Usually it is either because the security policies do not enforce enough security or because they enforce too much security.</p>
<p>When there are no constraints on the complexity of passwords, users will generally set simple, easy to remember passwords and never change them. The usability of the system in such cases is good: users will not have problems accessing the system because they have forgotten their password. However, these easy to remember passwords (usually) mean that they are also vulnerable to <a href="http://en.wikipedia.org/wiki/Password_Guessing" target="_blank">password guessing</a> attacks.</p>
<p><span id="more-367"></span>On the other hand, if people are forced to set extremely complex passwords, a different set of problems will arise with the same effect: the security system can be easily bypassed. If passwords cannot be remembered, most users will either write them down or, of course, forget them. This is not a good thing. If passwords are written down, some users will stick the paper on the side of the monitor or put it under the keyboard. If passwords are forgotten, users will often spend time calling support or using the “Forgot your password” service. It is not difficult to find people who are annoyed by extreme security measures. And in the case of services provided online, this can lead customers to consider alternative services that are easier to use.</p>
<h2><a href="http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx" target="_blank">Windows User Account Control </a>(UAC)</h2>
<p>Windows UAC is probably the best example of how difficult it is to keep this balance, even for big and experienced players like Microsoft.</p>
<p>Windows XP does not have UAC and it is an excellent operating system from a usability point of view. This is the reason why it is still so widely used. However, over time it has had serious security problems.</p>
<p>A key factor behind a large part of the security issues in Windows XP is the overuse of administrator accounts. Software developers used to assume that users had access everywhere and designed their applications accordingly. Users were using administrator accounts even for trivial tasks, partly because a lot of applications did not work otherwise. Malicious software benefited a lot from this situation. Because users were administrators, malware was able to infect core system files, causing significant, and sometimes irreversible, damage.</p>
<p>Microsoft realized that they had to change something, and the result was Windows Vista, an operating system designed with security in mind. User Account Control (UAC) is one of the new security components introduced in Vista: a set of features that allow users to perform common tasks as non-administrators.</p>
<p>How does it work? Basically, all accounts, even administrators’, run by default with the privileges of a standard user. Each time an operation that requires administrative privileges is to be executed, the user is prompted – via a secure desktop – to confirm that he is aware of it and wants to continue the operation. Clicking Yes, or providing administrator credentials in cases where a standard user is logged on, elevates the privileges to administrator and the operation executes successfully. However, the privileges are elevated for that program only. Each application that performs operations which require elevation will generate at least one UAC prompt.</p>
<p>This approach started to make users more aware of the changes performed on their system. Another effect is that most users got annoyed by the large number of UAC prompts, thus forcing developers to fix their applications so that they run without unnecessarily asking for administrator privileges.</p>
<p>While Windows Vista UAC is great from a security point of view, as regards usability it is enough to say that the first result when searching Google for “Windows Vista UAC” is a page with the title “Disable User Account Control in Windows Vista”.</p>
<p>Will Windows 7 ship with an updated UAC that finally gets the right balance? It seems so; however, the path is not so straightforward.</p>
<p>The feedback received from customers on Windows Vista UAC was processed by Microsoft, and Windows 7 Beta was released with an updated version of UAC. The updates were meant to improve usability by reducing the number of UAC prompts. Although <a href="http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx" target="_blank">Windows 7 UAC</a> can be configured to behave like Windows Vista, the default state allows Windows components to auto-elevate without prompting the user.</p>
<p>At first sight this solution seemed to be perfect: a huge usability improvement &#8211; the number of annoying UAC prompts was reduced &#8211; while making no major compromises regarding security. Unfortunately the right balance was still not there. An <a href="http://www.istartedsomething.com/20090130/uac-security-flaw-windows-7-beta-proof/" target="_blank">important security flaw</a> was discovered: through auto-elevation it was possible to disable UAC without the user being notified. Microsoft’s initial reaction to this was a bit strange for the security community. They said that the behavior was by design and would not be changed. Finally <a href="http://blogs.msdn.com/e7/archive/2009/02/05/uac-feedback-and-follow-up.aspx" target="_blank">Microsoft admitted</a> that it was an issue that had to be fixed, and in Windows 7 Release Candidate (RC) – which is currently available – changing the UAC level gets special treatment and always prompts you if you choose to disable it.</p>
<p>Did Microsoft finally get it right? Time will tell. The fight is not over yet. There are still people complaining about non-qualified people being asked to take important decisions about security, even with the reduced number of prompts in Windows 7. And there are voices that say security should not be compromised and that Windows Vista UAC is better.</p>
<p>Nevertheless, the examples above are not isolated cases. There are plenty of other similar situations. I know people whose machines got infected even with an antivirus solution installed and up to date, just because the real-time monitoring component was turned off. Why was it turned off? It was slowing down the computer…</p>
<p>Security applications and security policies should be designed to interfere minimally with the normal workflow of the user. If they are too intrusive, people tend to bypass them and the systems will fail to achieve their main goal: enforcing security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/security-usability-finding-balance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

